[strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel

flyingrhino flyingrhino at orcon.net.nz
Wed Apr 11 05:04:28 CEST 2018


I am trying to connect a servers-network to several remote 
clients-networks using ipsec/strongswan.
Normally I could do that easily at Layer 3 on my own without troubling 
the forum.

However, I need to pass L2 packets from side to side - this includes ARP 
- because the machines at the initiator left side are being given IP 
addresses from a DHCP server located at the responder left side.

Network description:

- On the initiator machine I have a tap interface that's bridged with 
eth0 that connects to a physical switch. The DHCP clients connect to 
this switch.
I have several of these networks.
Each of these networks is a road-warrior style setup - the network can 
pop up anywhere in the world.

- On the responder machine I also have a tap interface that's bridged 
with eth0 that connects to a switch. The DHCP server and other servers 
connect to this switch.
I must assign IPs to the initiator-side-clients from the responder-side 
DHCP server - I can't have DHCP servers on the remote networks at the 
clients end (where the initiator lives).

Is there a way to tell strongswan/ipsec that it should take all the 
traffic from the tap interface and push it through the tunnel to make it 
appear at the other side tap interface?
If needed - I don't mind setting up multiple tap interfaces on the 
responder - each serving one initiator.

Can you please point me in the right direction?
Do you have an example similar to my scenario that I can look at to 
learn from?

Thank you very much.
A long time openvpn sysadmin now turned strongswan sysadmin!

More information about the Users mailing list